Outlook “Patch” Spam Leads to Keyloggers

Hot on the heels of the spam campaigns involving emails which purport to come from the IRS, HMRC, and from your IT department comes another round of fake “notification” spam emails — this time, warning users to download and install a patch for the Outlook and Outlook Express email clients.

Like the previous rounds, the file a victim is prompted to download and (hopefully won’t) install is the prolific, widely-disseminated keylogger we call Progdav (aka “Zbot”). The faux Web page which hosts the malicious file is dressed up to look like a Microsoft Update page, titled “Update for Microsoft Outlook / Outlook Express (KB910737).” In an attempt to legitimize the payload, the page states: “This update is critical and provides you with the latest version of the Microsoft Outlook / Outlook Express and offers the highest levels of stability and security.”

The “update” file/Trojan installer is named officexp-KB910737-FullFile-ENU.exe and comes in at just under 100KB, which puts it in the welterweight class of Stupid Malware Trickery. A cursory glance at the Microsoft Knowledge Base Web site reveals the hardly-surprising fact that, no, there is no Knowledge Base article 910737.

Like virtually all the Progdav samples we’re seeing in recent months, this information-stealing Trojan is a universal data thief. It steals login passwords for Web sites, both as you enter them and from the Protected Storage area, where the browser keeps your “saved” passwords; stored Web browser cookies; FTP account details; POP3 email usernames and passwords; and it keeps track of the Web sites you visit. It disables the Internet Explorer anti-phishing filter, and monitors the contents of the Clipboard, so passwords you copy from one location and paste into another location aren’t safe, even if you never actually type them into a login page from an infected PC.

Our standard advice remains in place here: Avoid following links sent via email regarding updates to standard Windows components. Microsoft doesn’t email its customers about updates, and has other mechanisms, including Automatic Updates, to ensure that the folks who need them will get updates. Don’t download patches or updates to Microsoft products from anywhere other than Microsoft.com, and if you’re really concerned, double-check the Knowledge Base “KB” number to make sure you’re getting what you expect.

And when an untrustworthy link leads you to an untrustworthy page which begs you to “Please download and install the file…” please, don’t.
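The advice above can be applied mechanically at the mail gateway or help desk: a message that cites a Microsoft KB number but points its download link somewhere other than a Microsoft domain, or straight at an executable, is exactly the pattern this campaign uses. The triage helper below is an added example written for this post, not code from the original article or from the vendor; the sample messages are constructed, the link host `update-download.example.net` is a placeholder, and the short domain allowlist is an assumption you would extend for your own environment. Checking whether a KB number actually exists still needs a lookup on Microsoft’s site, so the script only extracts the numbers for that check.

```python
"""Triage helper for "download this patch" emails (added example).

It applies the post's advice: a message that talks about a Microsoft KB update
but links to a download outside Microsoft's domains, or directly to an
executable, is flagged for review rather than trusted.
"""
import re
from urllib.parse import urlparse

# Domains that legitimately serve Microsoft updates. Assumption: deliberately
# short; extend for your environment.
MICROSOFT_DOMAINS = ("microsoft.com", "windowsupdate.com")

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
KB_RE = re.compile(r"\bKB\s?(\d{5,7})\b", re.IGNORECASE)
EXE_RE = re.compile(r"\.(exe|msi|scr|com|bat)$", re.IGNORECASE)

# Constructed sample modelled on the campaign described in the post. The host
# is a placeholder; the filename is the one the post reports.
FAKE_PATCH_EMAIL = """Subject: Update for Microsoft Outlook / Outlook Express (KB910737)

This update is critical and provides you with the latest version of the
Microsoft Outlook / Outlook Express. Please download and install the file:
http://update-download.example.net/officexp-KB910737-FullFile-ENU.exe
"""

# Constructed benign sample: an internal reminder that links to Microsoft itself.
IT_REMINDER_EMAIL = """Subject: Monthly patch reminder

Apply this month's updates through Automatic Updates. Release notes are on
https://support.microsoft.com/.
"""


def is_microsoft_host(host: str) -> bool:
    """True only for an allowlisted domain or a subdomain of one.

    'microsoft.com.evil.example' and 'evil-microsoft.com' both fail this test.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in MICROSOFT_DOMAINS)


def extract_urls(text: str) -> list:
    """Pull http(s) links out of a message body, trimming trailing punctuation."""
    return [u.rstrip(".,;)") for u in URL_RE.findall(text)]


def kb_numbers(text: str) -> list:
    """Distinct KB numbers mentioned, for a manual check against the KB site."""
    return sorted({m for m in KB_RE.findall(text)})


def triage(text: str) -> dict:
    """Return the KB numbers cited, per-link facts, and an overall verdict."""
    links = []
    for url in extract_urls(text):
        parsed = urlparse(url)
        host = parsed.hostname or ""
        links.append({
            "url": url,
            "host": host,
            "microsoft": is_microsoft_host(host),
            "executable": bool(EXE_RE.search(parsed.path)),
            "kb_in_url": kb_numbers(url),
        })
    kbs = kb_numbers(text)
    # Suspicious: a non-Microsoft link in a message that cites a KB number,
    # or any non-Microsoft link that points straight at an executable.
    suspicious = any(
        not link["microsoft"] and (bool(kbs) or link["executable"])
        for link in links
    )
    return {"kb_numbers": kbs, "links": links, "suspicious": suspicious}


if __name__ == "__main__":
    for name, body in (("fake patch", FAKE_PATCH_EMAIL),
                       ("IT reminder", IT_REMINDER_EMAIL)):
        result = triage(body)
        print(f"{name}: suspicious={result['suspicious']} "
              f"KB={result['kb_numbers']}")
        for link in result["links"]:
            print(f"  {link['host']:<30} microsoft={link['microsoft']} "
                  f"exe={link['executable']}")
```

The allowlist check uses an exact match or a dot-prefixed suffix match rather than a substring test, so look-alike hosts that merely contain the string `microsoft.com` are not accepted.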
